Mandriva 2006 Install questions

Hi guys,
Installed ISPConfig following the perfect setup... Things went right and then didn't, and now it's screwed up. No worry, I want to reinstall the system anyhow. But getting deeper into all the info in the process of my experiments, I wonder about a couple of things, and I hope someone could clear things up before I endeavour the next reinstall:
1) I would like to install in the paranoid security state (chrooted) or at least highest. Does that give problems with ISPConfig, and exactly what does?
2) I would rather use the standard Mandriva IMAP services (updates later on); does that give problems with ISPC?
3) I would rather use the standard Shorewall firewall and disable the firewall in ISPC, does that...
4) I would rather use the sasl2 authentication than the deprecated saslauthd; does that give problems?

Lots of questions, but let me say, it seems that ISPC is right on the spot! Looked long for a good open-source config panel and think I found it.

Thanks for your reply,
The thing is, I followed the tutorial but was a little concerned about security, having had some problems with that in the past. I already run 3 servers under Mandrake but use the Higher setting, and then allow SSH by hand. Anything known if that causes trouble with ISPC?

Email
When I install the standard IMAP I don't see anything about the "cyrus..." you state in the tutorial, but maybe that's concealed by the Mandrake installer, so that's what confused me.

Mail authentication
OK, I followed some other thread on that. Since I am not an expert on this, I guess I'll follow your argumentation on that.

Firewall
Configuring the new ports in Shorewall isn't really that big a problem (you have to do that for MySQL anyhow, so that's answered for!)

So what I'm really left with is the sec settings... paranoid won't do, but what about higher? I wouldn't mind setting some services back on again, but I guess, since I am not an expert on this, the overall system would be more secure than the standard install?! And what about the chrooted daemons everybody is talking about (bind, proftp), could I set that up together with ISPC?

I think the standard install is already very secure because ISPConfig has its own firewall that blocks requests on all ports that you don't use. I've never tried the "Higher" setting together with ISPConfig so it's up to you to find out if this works.

I will do that and report back here, but still, aren't there exploits which use just the opened ports? There are, as far as I know, many descriptions on how to secure, let's say, bind. So there has to be more on that issue?! Wouldn't you agree? Or for that matter, would you consider a whole different distro, let's say the Debian-based Ubuntu, or Fedora or SUSE?

Hi Falko,
So I got it working after all. The problem with security settings under Mandrake boils down to the "msec" checks. They alter the standard filesystem chmods and render ISPConfig not working. What worked for me was installing the system as described in the perfect setup guides and then switching on the security functions, all but the msec checks. Maybe a separate site should be set up to cover only the securing of Linux under ISPConfig...

Now then, of course I still have some questions for you.
First of all, the POP system. When connecting there is a strange lag between connecting and actual reading of the mail. Using Thunderbird, or Outlook Express for that matter, a connection is made right away but then everything stops for 15-20 secs before the password is asked and the mail begins to roll. Once mail is coming in everything goes fast and smooth. Tried a telnet connection and there the POP server answered right away, so I am puzzled.

Second:
From one of the sites specified (not all) the mail gets doubled to the Postfix account?? The settings for this mail account specify a forward to [email protected] which actually is a mail address handled by the same system (as far as my knowledge reaches, a forward to a mail recipient on the same system should be done directly to the underlying POP account, not to the email address, but I am not sure if that is the problem). So why or when would an email be sent to the Postfix account??

bersi said:

First of all, the POP system. When connecting there is a strange lag between connecting and actual reading of the mail. Using Thunderbird, or Outlook Express for that matter, a connection is made right away but then everything stops for 15-20 secs before the password is asked and the mail begins to roll. Once mail is coming in everything goes fast and smooth. Tried a telnet connection and there the POP server answered right away, so I am puzzled.

Can you see anything related to this in the mail log?
Might also be a firewall problem or related to your security settings...

bersi said:

Second:
From one of the sites specified (not all) the mail gets doubled to the Postfix account?? The settings for this mail account specify a forward to [email protected] which actually is a mail address handled by the same system (as far as my knowledge reaches, a forward to a mail recipient on the same system should be done directly to the underlying POP account, not to the email address, but I am not sure if that is the problem). So why or when would an email be sent to the Postfix account??

Falko,
here is info about the forwarding system; I'll do some more checks on the POP server delay:

Forwarding:
2 domains are registered within ISPConfig on the same server, x and y, both with one user each, info@x and info@y (mail).
When I open the user definition for domain x and there put in a mail forward to info@y (the mail user from y) and I switch on the keep local copy option, the mail sent to info@x ends up in his box (as expected) but also in the postfix box on the system. This is annoying since this box is not emptied automatically and therefore could be flooded.

bersi said:

Forwarding:
2 domains are registered within ISPConfig on the same server, x and y, both with one user each, info@x and info@y (mail).
When I open the user definition for domain x and there put in a mail forward to info@y (the mail user from y) and I switch on the keep local copy option, the mail sent to info@x ends up in his box (as expected) but also in the postfix box on the system. This is annoying since this box is not emptied automatically and therefore could be flooded.

Are info@x and info@y in /etc/postfix/virtusertable? What's in /etc/aliases?

I don't have /etc/aliases, I do have an:
/etc/postfix/aliases with the following:

# Default aliases file for postfix
#
# this file should be in /etc or in /etc/postfix but if you want it in
# /etc/postfix you'll have to adjust your /etc/postfix/main.cf file accordingly
#
# Aliases in this file will NOT be expanded in the header from
# mail, but WILL be visible over networks or from /bin/mail.
#
# Following alias is required by the mail protocol, RFC 822 (and by RFC2142)
# Set it to the address of a HUMAN who deals with this system's mail problems.
#
# For various security reasons, postfix WILL NOT deliver mail as root, so
# ensure that the root alias is aliased to a HUMAN user, as otherwise
# mail may get delivered to the $default_privs user (nobody).
postmaster: root

# Many mailers use this address to represent the empty SMTP return
# path
MAILER-DAEMON: postmaster

Hi Falko, back again with a bit more serious problem. Again mail for one user is routed to another; in this case there are 2 domains
-homeport.nl and
-homeportnoord.nl

Now mail for homeportnoord.nl is routed to the homeport mailbox, even though no forward rules are visible in ISPConfig. Furthermore it seemed to have worked once but doesn't anymore. I looked in the virtusertable for Postfix and indeed there are entries which lead mail for homeportnoord.nl to the user (web14...) of homeport.nl instead of to the user of homeportnoord.nl (web15_...), but why that is, no idea.
Both procmailrc files are empty (only the first standard line is in place).

There is some striking difference between homeport and homeportnoord though: homeport.nl under the co-domain tab has an entry with empty hostname (as all other domains have) but homeportnoord does not, and when I want to set it, it results in an error that ".homeportnoord.nl" already exists.

?????

By the way, how do I trigger the makedb? I.e. make the Postfix virtuser db?

bersi said:

Now mail for homeportnoord.nl is routed to the homeport mailbox, even though no forward rules are visible in ISPConfig. Furthermore it seemed to have worked once but doesn't anymore. I looked in the virtusertable for Postfix and indeed there are entries which lead mail for homeportnoord.nl to the user (web14...) of homeport.nl instead of to the user of homeportnoord.nl (web15_...), but why that is, no idea.

No it isn't. Just homeport.nl without hostname is listed. On homeportnoord nothing is listed and homeportnoord.nl without hostname is not accepted (domain already exists).

OK HOLD THE PHONE!!
Fixed it: What was the case: homeportnoord.nl existed in the trash bin and was originally made under homeport.nl. But now we have a bug, because the domain was deleted and then there shouldn't be any more mail rules built on this, should there? Even though the thing still sits in the trash bin?

Well, I've emptied the trash bin, put the .homeportnoord.nl back in place under co-domains of www.homeportnoord.nl and now everything is working fine. But I still think the above needs some thinking over!
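
The virtusertable inspection described in the posts above can be automated. This is an added example, not part of the original thread and not ISPConfig code: it parses a Postfix lookup table and lists every site user prefix that receives mail for more than one domain, so the result can be compared with the co-domains the panel shows. The `web<N>_` naming pattern is an assumption based on the user names mentioned above, and the sample map and its domains are constructed.

```python
import re
from collections import defaultdict

# Assumption: site users are named web<site id>_<name>, as the thread suggests.
SITE_USER = re.compile(r"^(web\d+)_")

# Constructed sample map (not taken from the thread).
SAMPLE = """\
# address               system user
info@site-a.example     web1_info
@site-a.example         web1_info
info@site-b.example     web1_info
sales@site-b.example    web2_sales,
    archive@elsewhere.example
"""

def entries(text):
    """Yield (key, targets) for each logical line of a Postfix lookup table."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                           # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], [t.strip() for t in parts[1].split(",") if t.strip()]

def domains_per_site(text):
    """Map each site prefix (web<N>) to the domains whose mail it receives."""
    sites = defaultdict(set)
    for key, targets in entries(text):
        if "@" not in key:
            continue                           # not an address mapping
        domain = key.rsplit("@", 1)[1].lower()
        for target in targets:
            match = SITE_USER.match(target)
            if match:
                sites[match.group(1)].add(domain)
    return {site: sorted(doms) for site, doms in sites.items()}

def shared_sites(text):
    """Sites receiving mail for more than one domain; compare with the co-domain list."""
    return {s: d for s, d in domains_per_site(text).items() if len(d) > 1}

if __name__ == "__main__":
    for site, doms in shared_sites(SAMPLE).items():
        print(f"{site} receives mail for: {', '.join(doms)}")
```

A domain that appears under a site where the panel lists no matching co-domain is the kind of leftover mapping described in this thread.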

bersi said:

OK HOLD THE PHONE!!
Fixed it: What was the case: homeportnoord.nl existed in the trash bin and was originally made under homeport.nl. But now we have a bug, because the domain was deleted and then there shouldn't be any more mail rules built on this, should there? Even though the thing still sits in the trash bin?

I've never seen something like this before...
Anyway, we've changed something in the code that handles Co-Domains, and it will be available in the next release. I think it might help to avoid problems like this one.

Ok,
Using the system for quite a while now and it's of great value. But using ISPConfig of course raised further questions. Here is one of them:
I have installed the quota system for users and that is working well. But what concerns me are the error logs:
1) the error log is part of the user's (website's) quota, which can be annoying, but 2) the error log does rotate! It just keeps growing, and I haven't figured out how to delete it.
This leaves me with 2 things: when the error log keeps growing, setting site quotas does not make much sense (in this case that is, otherwise it can of course make sense since it warns the admin of problems at site level), and how do I get rid of an error log which is actually above 1 GB?
thorsten